The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js[donotclick]katchthedeal.sg/stilling/rifts.js[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).